Ben Kallus
From RFC 7230: > If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt...
I reported this privately on June 2, so I'm reporting it publicly now. Try sending Gunicorn the following payload: ``` GET / HTTP/1.1\r\n Host: a\r\n Useless:\n\nGET / HTTP/1.1\nHost: a\r\n \r\n...
### Describe the bug Absolute URLs are permitted to have empty hosts in RFC 3986. Relevant grammar rules: ``` host = IP-literal / IPv4address / reg-name reg-name = *( unreserved...
**I'm submitting a ...** - [X] bug report - [ ] feature request - [ ] question about the decisions made in the repository **Do you want to request a...
**I'm submitting a ...** - [X] bug report - [ ] feature request - [ ] question about the decisions made in the repository **Do you want to request a...
The HTTP standard has a grammar rule that defines valid HTTP methods. This patch checks that methods conform to that rule. Note that this does not preclude a user from...
# Header names RFC 9110 says that HTTP header names are permitted to contain only the following characters: > ``` > "!" / "#" / "$" / "%" / "&"...
ATS's chunked message body validation has problems dealing with malformed chunk sizes. When a chunk size matches the following regular expression: `\d+[^\d]+` (i.e. some digits followed by some non-digits) ATS...
RFCs 9110 and 9112 define the `chunk-ext` rule (and its dependencies) as follows: ``` chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) BWS =...
ATS accepts and forwards header names containing the following characters, all of which RFC 9110 does not permit in header names: `\t`, ` `, `"`, `(`, `)`, `,`, `/`, `;`,...